A helping hand for a smart hand: How we hacked it so others wouldn’t

“The S in IoT stands for security” is perhaps the most over-told joke of recent years in the field of information security. Sure enough, security experts have long made fun of the Internet of Things, and every hacker conference worth its salt always has a talk about yet another so-called smart device having been hacked in some crazy way. Everyone is so used to such cases that they are surprised when the opposite happens and researchers conclude that a device is actually rather secure.

Usually, research focuses on IoT vulnerabilities and how they threaten users. But every coin has a flip side: vulnerabilities in smart devices can be dangerous for the developers too; they can cause data leakage or damage, disrupt infrastructure, and render the devices themselves broken or useless.

Let’s start with the good news. First, our experts did not find any vulnerabilities in the firmware of the prosthetic limbs themselves. Second, in Motorica’s system data moves in one direction only — from the limb to the cloud. This means that it is not possible, for example, to hack into a hooked-up smart limb and take control of it remotely.

However, further study revealed some serious flaws in the development of the cloud infrastructure for collecting and storing telemetry data obtained from prosthetic limbs, allowing hackers to:

Gain access to the data of all system accounts (both user and admin), including unencrypted logins and passwords.

Read, delete, and modify telemetry data stored in the database, or add new entries.

Launch a DoS attack against an administrator, blocking login to the system.

These vulnerabilities potentially allow user data leakage or damage. Moreover, the last of the above bullet points would significantly increase the time needed to respond to the hack.

Naturally, our researchers reported all detected vulnerabilities to Motorica, and to date all found problems have been fixed. Unfortunately, this victory is just one minor battle in the far wider war to make the Internet of Things safe. Here’s what needs to change:

Developers should be aware of the most common threats and best practices for creating secure code. This is crucial at all stages of development — our research clearly illustrates that errors in the creation of one part of the system can have a catastrophic knock-on effect.

Manufacturers of smart gadgets should introduce bug bounty programs, which are very effective for finding and fixing vulnerabilities.

Ideally, products under development should undergo security assessments by information security experts.
